<?php

// Start (or resume) the PHP session before the session helpers required below are used.
// The @ operator suppresses every diagnostic session_start() can raise, including real
// failures. NOTE(review): consider checking the return value (or session_status() on
// PHP 5.4+) instead, so a broken session store is not silently ignored on an auth page.
@session_start();
require_once 'shared-functions.php';
require_once 'session.php';
require_once 'masterpage.php';

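// Open the page layout. NOTE(review): masterpage() lives in masterpage.php and is not
// visible here; if it writes output immediately, the header() redirects below only work
// with output buffering enabled — confirm.
masterpage("Change Password");

// Only an authenticated session may see the form or reach the handlers further down.
if (!IsValidSession()) {
    header('Location: login.php?page=edit-profile');
    exit();
}
RefreshSession();

// A target user id is mandatory, either in the query string or in the posted form.
if (!isset($_GET['id']) && !isset($_POST['UserId'])) {
    header('Location: edit-profile.php');
    // A Location header does not end the script; without exit() the password handlers
    // below would still execute for this request.
    exit();
}

// Resolve the target id the same way the rest of the page does: POST wins over GET.
$requestedId = "";
if (isset($_POST['UserId'])) {
    $requestedId = $_POST['UserId'];
} elseif (isset($_GET['id'])) {
    $requestedId = $_GET['id'];
}
// Array-valued parameters (e.g. id[]=x) are never a valid id; the form field may also
// carry surrounding whitespace, which the SQL further down trims before use.
$requestedId = is_string($requestedId) ? trim($requestedId) : "";

// Users who are neither director nor admin may only operate on their own account.
// Previously this branch only set $msg (which was cleared right afterwards) and the
// request carried on; now the request is refused and the script stops.
$accessLevel = GetCurrentUserAccessLevel();
if ($accessLevel != $DIRECTOR && $accessLevel != $ADMIN) {
    // Strict string comparison: loose != treats numeric-looking strings such as
    // "05" and "5" as equal, which is too permissive for an authorization decision.
    if ($requestedId !== trim((string) GetSessionUser())) {
        // The requested id is deliberately not echoed back: it is attacker-controlled
        // and would be reflected into the page unescaped.
        echo '<span>Can\'t access the change password page for someone else</span><p />';
        endmasterpage();
        exit();
    }
}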
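// Status line rendered above the form; stays empty when no handler ran.
$msg = "";
$link = connect_db();

// Account both handlers operate on. Array-valued input is rejected and whitespace
// trimmed so the value matches what the form was rendered with.
$targetId = "";
if (isset($_POST['UserId']) && is_string($_POST['UserId'])) {
    $targetId = trim($_POST['UserId']);
}

// Request data used to be concatenated into the SQL text verbatim (SQL injection).
// Every value is now escaped for this connection before it is spliced in.
// NOTE(review): escaping is only reliable when the connection charset is set through
// the driver (mysql_set_charset); ext/mysql was removed in PHP 7, so the durable fix is
// prepared statements via mysqli or PDO once connect_db() is migrated.
$targetIdSql = mysql_real_escape_string($targetId, $link);

$accessLevel = GetCurrentUserAccessLevel();
$isPrivileged = ($accessLevel == $DIRECTOR || $accessLevel == $ADMIN);

// NOTE(review): neither handler checks an anti-CSRF token and the forms on this page do
// not send one, so any page the logged-in user visits can submit these POSTs for them.

if ($isPrivileged && isset($_POST['mode']) && $_POST['mode'] == "reset") {
    // Director/admin requested a password reset for $targetId.
    $query = "SELECT *
                    FROM `User`
                    WHERE `UserId` = '" . $targetIdSql . "'";
    $result = mysql_query($query, $link);
    // mysql_query() returns false on error; mysql_num_rows(false) would only warn.
    if (!$result || mysql_num_rows($result) != 1) {
        $msg = "Password not reset. user not found.";
    } else {
        $student = mysql_fetch_row($result);
        // Column 1 of SELECT * becomes the new password. The submit button is labelled
        // "Reset Password to Username", so this is presumably the username — confirm.
        // NOTE(review): a password equal to the username is guessable by anyone who
        // knows the account name; prefer a random one-time value plus a forced change.
        $hash = gen_passwd_hash($student[1]);
        $query = "UPDATE `User` SET `Password` = '" . mysql_real_escape_string($hash, $link)
            . "' WHERE `UserId` = '" . $targetIdSql . "'";
        $result = mysql_query($query, $link);
        if (!$result) {
            $msg = "Password reset unsuccessful";
        } else {
            $msg = "Password reset successful";
        }
    }
} elseif (isset($_POST['UserId']) && isset($_POST['txtCPass']) && isset($_POST['txtPass']) && isset($_POST['txtPass2'])) {
    // Change-password handler: the caller must prove knowledge of the current password.
    // Non-string (array) fields are treated as empty.
    $currentPass = is_string($_POST['txtCPass']) ? $_POST['txtCPass'] : "";
    $newPass = is_string($_POST['txtPass']) ? $_POST['txtPass'] : "";
    $confirmPass = is_string($_POST['txtPass2']) ? $_POST['txtPass2'] : "";

    if ($currentPass !== "" && $newPass !== "" && $confirmPass !== "") {
        // Verify the current password by matching its hash against the stored value.
        // NOTE(review): matching the hash inside the WHERE clause implies
        // gen_passwd_hash() is deterministic (no per-user salt); it is defined outside
        // this file — confirm, and consider password_hash()/password_verify().
        $hash = gen_passwd_hash($currentPass);
        $query = "SELECT * FROM `User` WHERE `Password` = '" . mysql_real_escape_string($hash, $link)
            . "' AND `UserId` = '" . $targetIdSql . "'";
        $result = mysql_query($query, $link);

        if ($result && mysql_num_rows($result) >= 1) {
            // Strict comparison: with == two different numeric-looking strings
            // (e.g. "1e3" and "1000") compare equal, so a mistyped confirmation could pass.
            if ($newPass === $confirmPass) {
                $hash = gen_passwd_hash($newPass);
                $query = "UPDATE `User` SET `Password` = '" . mysql_real_escape_string($hash, $link)
                    . "' WHERE `UserId` = '" . $targetIdSql . "'";
                $result = mysql_query($query, $link);
                // The success text used to overwrite the failure text unconditionally.
                if (!$result) {
                    $msg = "Unsuccessful password change.";
                } else {
                    $msg = "Password successfully changed.";
                }
            } else {
                // New password and its confirmation differ.
                $msg .= "New password and confirm password must match. Please try again.";
            }
        } else {
            // Wrong current password, unknown user, or the lookup query failed.
            $msg .= "Invalid current password. Cannot change password.";
        }
    } else {
        // At least one of the three password fields was left empty.
        $msg = "Unsuccessful password change. You must enter in values for the fields below.";
    }
}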
?>


<?php
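    // Target user id for the form below: the posted value wins over the query string.
    $id = "";
    if (isset($_POST['UserId'])) {
        $id = $_POST['UserId'];
    } elseif (isset($_GET['id'])) {
        $id = $_GET['id'];
    }
    // Array-valued parameters are not a valid id; trim so the value round-trips cleanly.
    $id = is_string($id) ? trim($id) : "";

    // The id comes straight from the request and used to be written into the page
    // unescaped (reflected XSS). Encode it for each context it is emitted into.
    // Assumes the page is served as UTF-8 — TODO confirm against masterpage().
    $idAttr = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    $idQuery = htmlspecialchars(urlencode($id), ENT_QUOTES, 'UTF-8');
?>
<form action="change-password.php" method="post">
    <input type="hidden" name="UserId" value="<?php echo $idAttr; ?>"/>
<?php
    // The hidden field above no longer starts with a stray space, which was being
    // posted back as part of UserId.
    echo '<a href="edit-profile.php?id=' . $idQuery . '">&lt;&lt; Back to Edit Profile</a><br />';
    if ($msg != "") {
        // Status messages are plain text; escape them so nothing that ends up in $msg
        // can inject markup.
        echo '<span>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</span><p />';
    }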
    ?>
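    <?php
    /*
     * Change-password fields. They belong to the form opened just before this table and
     * closed after the submit button below; the handler reads txtCPass, txtPass and
     * txtPass2. Fixes: removed an unmatched </label> before txtPass2 and made the
     * txtCPass input self-closing like the other inputs.
     * NOTE(review): the form is opened outside the table and closed inside a cell, which
     * is mis-nested markup; browsers tolerate it, but moving the whole table inside the
     * form would be cleaner.
     */
    ?>
    <table>
        <tr>
            <th>Change Password</th>
        </tr>
        <tr>
            <td>
                Current Password:
            </td>
            <td>
                <input type="password" id="txtCPass" name="txtCPass" size="15"/>
            </td>
        </tr>

        <tr>
            <td>
                New Password:
            </td>
            <td>
                <input type="password" id="txtPass" name="txtPass" size="15"/>
            </td>
        </tr>

        <tr>
            <td>
                Confirm New Password:
            </td>
            <td>
                <input type="password" id="txtPass2" name="txtPass2" size="15"/>
            </td>
        </tr>
        <tr>
            <td colspan="2">
                <input type="submit" value="Change"/>
                </form>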
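                <?php
                    // Directors and admins viewing another user's page (?id=...) get a
                    // second form that posts mode=reset for that user.
                    // The id is request data and used to be written into the value
                    // attribute unescaped (reflected XSS); it is now HTML-escaped.
                    // Assumes the page is served as UTF-8 — TODO confirm.
                    // NOTE(review): this state-changing form carries no anti-CSRF token.
                    $accessLevel = GetCurrentUserAccessLevel();
                    $canReset = ($accessLevel == $DIRECTOR || $accessLevel == $ADMIN);
                    if ($canReset && isset($_GET['id'])) {
                        // Array-valued ids are not valid; render an empty value instead.
                        $resetId = is_string($_GET['id']) ? trim($_GET['id']) : "";
                        echo '
                                <form action="change-password.php" method="post">
                                    <input type="hidden" name="UserId" value="' . htmlspecialchars($resetId, ENT_QUOTES, 'UTF-8') . '" />
                                    <input type="hidden" name="mode" value="reset" />
                                    <input type="submit" value="Reset Password to Username" />
                                </form>';
                    } else {
                        echo '&nbsp;';
                    }
                    // The unmatched </form> that used to follow </table> is dropped:
                    // the change form is closed right after its submit button and the
                    // reset form closes itself inside the echo above.
                ?>
            </td>
        </tr>
    </table>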
<?php


// Close the page layout opened by masterpage() at the top of this script.
// endmasterpage() is not defined in this file (presumably masterpage.php — confirm).
endmasterpage();
?>